Cyber Detective CTF Writeup

9 min readNov 29, 2021

Cyber Detective CTF is an OSINT-focused capture-the-flag(CTF). It is created by the Cyber Society(CyberSoc) at Cardiff University. The challenges are divided into three categories: Life Online, Evidence Investigation, and General Knowledge. The third category, which is General Knowledge is just basic stuff that can be searched online, so I won’t write about it.

Life Online

This is our target’s Twitter account. By scrolling down his feed, we can see he retweeted something from Barack Obama and Ron Wyden.

Both Obama and Wyden are members of the Democratic Party.

Looking at his feed, James references a website called what3words.

By using the words from his bio, we can pinpoint where James grew up at.

James had posted a picture of the railway station he used to get home from work.

By using Yandex reverse image search, we can see a similar image posted by James. The picture is taken at Cardiff Central Railway Station.

This Sarah must be related to our first person of interest (James) one way or another. We need to look into James’ followers and followings list. In his followers' list, there’s Sarah Luxton(@sarah_luxton).

Sarah posted a picture back in February 2020 about a place she will go on holiday. Still using the Yandex reverse image search, we now know that the picture is related to Perth, Australia.

From her bio, “Buster’s favorite place: 51.947528, -3.393953”. Buster may be the name of her dog and these numbers look like a coordinate. We search this coordinate by using Google Map, and the town in question is Brecon.

George Watson(@GeorgeWatson428) is another coworker of James.

His password, “aW1hbWF6aW5nMTIz”, looks like it’s been encoded to Base64. We can decode it by using an online tool such as CyberChef to obtain the original password. Just a reminder, Base64 is not encryption, it’s an encoding and it’s not safe.

There is a tweet from Pearce Rees(@PearceRees), maybe another coworker, and a picture of a desk.

James’ Twitter header is blue and green eyes. We need to click on the header’s picture to see the hidden text.

George share a screenshot of a meme sent from his boss to the world and accidentally shared sensitive data, which is his access key.

The party is happening at Pearce’s place at Llanedeyrn Road, Cardiff.

There are many ways to find bus route’s number such as by searching at the bus operator website. For this case, it is Cardiff Bus. For me, the easiest way is by using Google Maps. First, set the starting point at Principality Stadium and the destination at Llanedeyrn Road. Next, choose transit as a mode of transportation.

Evidence Investigation

The first step is to Google the plate number. It then shows a registry lookup site.

We need to use The Wayback Machine for this one. Just type in the URL at the search box and we can see all the snapshots. There are six snapshots available, and we need to view each of them until found the correct one.

It is a copy of the boarding pass with a huge barcode. We can crop the barcode and scan it using an online barcode reader to get the details.

The easiest way to find out where the camera’s location is by using WHOIS lookup. At the country field, we can see that this camera is in Belgium.

It is a confirmation statement for a company called Technology Services Limited. We can get more information on UK companies here. We can use the company number to find the information.

If we go to the Filling History, we will come to a “Total exemption full accounts” PDF that we can look through. Within this, there is a balance sheet.

Notice the “cash at bank” portion, €102,347.

The feed is marked at Bornholm Airport which is located in Ronne, Denmark. Google search shows that the first flight is to Copenhagen at 06:15

The flight duration from Ronne to Copenhagen is 40 minutes. Add that to 06:15, we get the time of arrival at 06:55.

Using the tool provided, we can decode the image and extract it to a text file


Meet me at London Heathrow Airport at the usual time where we will begin executing our plan.


Searching for “The Birchmount Lofts” on Google brought us to results showing that this is a vet clinic called the Birchmount Animal Hospital located in Canada. We then go to the vet clinic’s website and click on the location.

It is a Morse Code. We can use CyberChef to decode it.

We use Google Map and look up the intersection Amherst Cres & Ivor St. Drop to street view, and we can find our guy.

One way to get information on wireless networks is by using WiGLE. We just type in the SSID and zoom in on the Bristol area.

The PDF is just a blank page, but we hit select all, we can see the code for the lock.

The device model can be obtained by looking at the picture’s metadata. Metadata is the information and specific details concerning a particular image file. We can use ExifTool to extract the metadata for this picture.

This is an XOR encryption. Again, we can decrypt it by using CyberChef.

By clicking the link, it brings us to a Pastebin with Arabic characters. If we look closer, there are a few words that are not Arabic. I am confident that one of the words is our flag. To avoid any hassle, I created a Python script to translate all the non-Arabic words into English.

We can go to Land Registry’s price paid dataset here and enter the date of transaction and the price paid for the property.

There was only one transaction that day, and the previous owner of the property was Tesco.

We need to click all the links and change the date to February 1st, 2020. I collect all the opening prices and create a Python script to multiple the open price with the amount of Bitcoin received.

We can see a nice even number, 50000, which is in Australian Dollars.